Penetration Testing mailing list archives

Re: Block OS Detection


From: "Robert E. Lee" <robert () outpost24 com>
Date: Wed, 05 Sep 2007 11:22:53 +0200

Jon DeShirley wrote:
Changing default stack values will give you a little bit of protection
from OS fingerprinting, but there are usually other identifiers that
will give your stack away.  Dropping SYN+FIN, altering default TCP TTL
values, changing the default TCP window size, and a few other things
will fool a passive OS fingerprint.  A few of the techniques are
documented here: http://www.zog.net/Docs/nmap.html .

But this is all moot, unless you go through all your service banners
to sanitize them and block all default services (i.e. Active Directory,
Linuxconf, or ToolTalk) that would give your platform away.

This type of obfuscation was in vogue for a few years in the late 90s
and early 2000s.  It was commonly believed that an attacker would
follow the same method as a vulnerability assessor to attack a system;
namely port scan, service/system enumeration, attempt to exploit known
problems.  Because of this mistaken belief, vulnerability assessors
started recommending that their customers do things that only slow down
a vulnerability assessor (IPS that blocks port scans, Stack Obfuscation,
Banner Obfuscation, etc).

Unfortunately, this is not how automated attacks work.  In an automated
attack, the attacker simply targets a wide number of systems, attempts
the exploit of choice, and moves on to the next host if it fails.  It
doesn't care what the TCP/IP stack properties say, nor what the banner says.

Lately it has been argued that leaving the banner information intact
helps the administrator more than it hurts.  Having the version
information available allows an admin an easy way to poll his systems to
see which are vulnerable.  Without that ability, the admin is more
likely to leave out of date/vulnerable software running.

If you've changed your TCP/IP stack characteristics, you may actually
make yourself more insecure.  I remember some people started emulating
really old and obscure systems stacks. This emulation actually
reintroduced predictable sequence numbers, making their systems
vulnerable to hijacking.

Obfuscation does not protect your system/service. There is no measurable
benefit in blocking OS Detection or changing banners.

Robert

--
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com

phone: +46-455-61-2320
fax  : +46-455-1-3960
email: robert () outpost24 com
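The hijacking risk raised in the post above comes from a stack handing out guessable initial sequence numbers. As an added illustration that is not part of the original thread, the following self-audit check takes a handful of ISNs observed from one's own host (the samples here are constructed) and gives a coarse predictability verdict; the thresholds are illustrative assumptions, not nmap's ISN scoring.

```python
"""Coarse self-audit of TCP initial sequence number (ISN) predictability.

Assumption: the ISNs were collected from successive connections to the
host being audited (e.g. from a capture of its SYN/ACKs). All sample
values below are constructed for the example.
"""
from functools import reduce
from math import gcd
from statistics import pstdev
import random

MOD = 1 << 32  # ISNs are 32-bit and wrap around


def isn_deltas(isns):
    """Successive differences modulo 2^32, so wraparound does not distort them."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Return (verdict, stats) for at least three observed ISNs.

    Verdicts (illustrative thresholds):
      'constant increment'     every delta identical, trivially guessable
      'low variance'           deltas cluster tightly, guessable in few tries
      'appears unpredictable'  deltas spread widely across the 32-bit space
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    stats = {
        "gcd": reduce(gcd, deltas),
        "stdev": pstdev(deltas),
        "distinct": len(set(deltas)),
    }
    if stats["distinct"] == 1:
        verdict = "constant increment"
    elif stats["stdev"] < (1 << 16):
        verdict = "low variance"
    else:
        verdict = "appears unpredictable"
    return verdict, stats


# Constructed samples: a legacy-style stack that bumps the ISN by a fixed
# 64000 per connection, and a stack drawing 32-bit random ISNs (seeded RNG
# so the example is reproducible).
LEGACY_ISNS = [(1_000_000 + 64_000 * i) % MOD for i in range(8)]
_rng = random.Random(2007)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(8)]

if __name__ == "__main__":
    for name, samples in (("legacy", LEGACY_ISNS), ("random", RANDOM_ISNS)):
        verdict, stats = classify_isn(samples)
        print(f"{name}: {verdict} (gcd={stats['gcd']}, stdev={stats['stdev']:.0f})")
```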
